GSA Centers of Excellence cyber official urges greater adoption of bug bounties

Best listening experience is on Chrome, Firefox or Safari. Subscribe to Federal Drive’s daily audio interviews on Apple Podcasts or PodcastOne.

In the federal IT world, modernization often gets measured through dashboards and scorecards. But when it comes to moving from on-site data centers to the cloud, agencies face substantial workforce and culture challenges that aren’t always reflected in those metrics.

Dan Jacobs, the senior security architect for the Centers of Excellence at the General Services Administration’s Technology Transformation Service, said the biggest hurdles to cloud migration often boil down to people and culture.

Advertisement

“In your cloud journey, the greatest challenge may be to change the narrative away from incentivizing product-heavy, siloed security models. Some of those may look great on a dashboard, but we need to move the incentive toward outcome-based, cooperative systems that are directly aimed at the relevant, credible threats that you’re experiencing today,” Jacobs said Thursday at Symantec’s office in Washington.

That focus on collaboration shouldn’t be too much of a surprise. GSA’s Centers of Excellence focus on building a common set of tools for agencies to transform their IT architecture and the way they deliver services. But if there’s one tool that agencies aren’t taking enough advantage of, Jacobs said it’s bug bounties.

“What we’re saying is that I am going to hire thousands and thousands of security researchers to look at my stuff, to deliver vulnerabilities, and I’m going to pay them what I think those vulnerabilities are worth,” Jacobs said. “You are not going to find a whole [lot] of other opportunities where you get to decide how much you pay thousands of security researchers to work persistently for you. It is a fantastic opportunity.”

The Defense Department launched its Hack the Pentagon initiative in 2016, which has spread to the military services, but the adoption has been slower in civilian agencies.

GSA launched its bug bounty program in 2017, while the Census Bureau launched its bug bounty earlier this year as part of its prep work for the 2020 census.

In January, President Donald Trump signed a bill authorizing a bug bounty program at the Department of Homeland Security, but officials at other national security agencies like the FBI have said they plan on keeping their penetration testing in-house.

Energy Dept. ramps up cloud migration, data center consolidation

But other agencies have faced similar people-centric challenges when it comes to moving to the cloud. Denise Hill, the Energy Department’s acting deputy CIO for enterprise policy, said the agency and its national labs, has had some early cloud adopters, as well as those who were less than ready for the change.

But after navigating that culture change, Hill said the agency is moving its headquarters desktop infrastructure to the cloud. The agency is also consolidating its data centers in Albuquerque, New Mexico, and Germantown, Maryland, and moving those systems to the cloud.

“We took it slow and we took it easy with moving some early, smaller applications into the cloud to make sure that they were fully functioning. We kicked the tires on it,” Hill said. “Then [we] put together a schedule to move other, more aggressive applications to the same cloud. But we wanted to start early, get some lessons learned, make some adjustments and then schedule the next round.”

Andrew Marquardt, the chief enterprise architect of the Interior Department’s Bureau of Reclamation, said rather than just moving systems or applications to the cloud, the bureau looked its cloud migration journey in terms of moving work systems, which Marquardt defined as “any combination of automated, manual, semiautomated processes that you use to accomplish work.”

Running the numbers, Marquardt said the agency’s program offices had anywhere from three-to-five work systems, while larger offices up to 15 work systems.

“When we’ve been able to do that and really automate a lot of those work systems and take advantage of the cloud, and open them up so people can do things from their phones or tablets, we’ve seen tremendous efficiencies come up,” he said.

But the move to the cloud isn’t a one-size-fits-all approach. Marquardt said the bureau also needed to consider building a cloud solution that worked for employees out in the field.

“We have people that are literally going to sites that they either have to take Jeeps in the summer or snowshoes in the winter to access them. There’s no cell signal up there, there’s no WiFi up there,” he  said. “If we designed those kinds of solutions with the average user in mind, that whole thing and all of our cloud adoption, from a cultural perspective, would have been ‘Who cares? This thing doesn’t work when I need it.'”

Copyright © 2019 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.